Secrecy Analysis in Protocol Composition Logic

Extending a compositional protocol logic with an induction rule for secrecy, we prove soundness for a conventional symbolic protocol execution model, adapt and extend previous composition theorems, and illustrate the logic by proving properties of two key agreement protocols. The first example is a variant of the Needham-Schroeder protocol that illustrates the ability to reason about temporary secrets. The second example is Kerberos V5. The modular nature of the secrecy and authentication proofs for Kerberos makes it possible to reuse proofs about the basic version of the protocol for the PKINIT version that uses public-key infrastructure instead of shared secret keys in the initial steps.

[1]  John C. Mitchell,et al.  Inductive Proofs of Computational Secrecy , 2007, ESORICS.

[2]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[3]  John C. Mitchell,et al.  A derivation system for security protocols and its logical formalization , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[4]  John C. Mitchell,et al.  Protocol Composition Logic (PCL) , 2007, Computation, Meaning, and Logic.

[5]  John C. Mitchell,et al.  Secure protocol composition , 2003, FMSE '03.

[6]  F. Javier Thayer Fábrega,et al.  Strand spaces: proving security protocols correct , 1999 .

[7]  Andre Scedrov,et al.  Verifying Confidentiality and Authentication in Kerberos 5 , 2003, ISSS.

[8]  John C. Mitchell,et al.  A modular correctness proof of IEEE 802.11i and TLS , 2005, CCS '05.

[9]  Joshua D. Guttman,et al.  Mixed strand spaces , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[10]  Joshua D. Guttman,et al.  Strand Spaces: Proving Security Protocols Correct , 1999, J. Comput. Secur..

[11]  James Heather,et al.  Strand spaces and rank functions:more than distant cousins , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[12]  Steve A. Schneider,et al.  Temporal rank functions for forward secrecy , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[13]  Andre Scedrov,et al.  Breaking and fixing public-key Kerberos , 2006, Inf. Comput..

[14]  Alan Bundy,et al.  Constructing Induction Rules for Deductive Synthesis Proofs , 2006, CLASE.

[15]  John C. Mitchell,et al.  A derivation system and compositional logic for security protocols , 2005, J. Comput. Secur..

[16]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .

[17]  Steve A. Schneider Verifying Authentication Protocols in CSP , 1998, IEEE Trans. Software Eng..

[18]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .

[19]  Larry Zhu,et al.  Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) , 2006, RFC.

[20]  Andre Scedrov,et al.  A formal analysis of ome properties of kerberos 5 using MSR , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[21]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[22]  Xu Mei Internet Key Exchange , 2003 .

[23]  John C. Mitchell,et al.  A compositional logic for protocol correctness , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[24]  Steve A. Schneider,et al.  Towards the Rank Function Verification of protocols that use Temporary Secrets , 2004 .

[25]  Lawrence C. Paulson,et al.  Kerberos Version 4: Inductive Analysis of the Secrecy Goals , 1998, ESORICS.